I have been working on a large project for about 4 months.
We have a "lead" that I constantly question.
The rules of the project (from the customer who has no background in IT) are
Only JavaScript will be used (Kendo UI package for CRUD).
It is to be "secured" with SSO - ADFSv2/ACS
It must have use Odata to interact with the database.
Please correct me if I am wrong, but does this not mean
A. This is clearly insecure. (after the initial login)
B. How can Kendo even handle database interaction (correctly) if it must update multiple tables?
There is another programmer currently working on a similar project and he is using Node.js for a web app that interacts with a Database.
Doesn't this suffer from a similar issue?
How does this client side CRUD work security and accurately?
Correct me if I am wrong, but it seem to me that you think that javascript directly access the database.
For that I see, Javascript is only used to manage the UI, and to contact (with Ajax ?) the server to update/create/delete entities.
It isn't insecure, but developers must ensure that the requested user's action is permitted (on server side).
Example : For a DELETE requested URL like https://myServer/myApp/Person/1, an user can modify this URL like https://myServer/myApp/Person/6 or https://myServer/myApp/Work/1.
So it must be verify that the user can delete a Person with id=6, or a Work with id=1.
Related
I am new to web development, but I am building a tool to help us visualize the customers in our database in a more concrete way (basically a CRM of sorts). Its a web app using a node.js backend and Vue.js for the front end.
THE BIG QUESTION - I found a connection.threadId query that can be run. If I save this threadID in a cooke or JSON web token, can I use this to have each user uniquely querying the database? If you need additional information on my issue, continue reading.
Essentially the problem I am running into is authentication. We were able to get a dummy user create that has read only privileges to the database, but this doesnt help the account management team. I am trying to find a way for them to be able to login with their own credentials and then be able to run queries from my node.js (javascript) backend using a series of get and post requests.
I am able to get the user to login with the SQL password and they can run the initial query (that fires upon login) but they then cannot re-query the database if someone else logs in after them (I realized that my variables were all globally scoped on the server.) I then moved everything client side in JSON web tokens, but I had to hash the database password to be safe which leaves me with another problem. My hash and the original database hash do not match, and that is not something I'll ever get access to. Not really sure where else to go with this at this point.
Please ask if you need any additional information to assist.
Thanks!
You probably can't.
You also probably shouldn't use variables on the SQL server for a web app like this. If you can refactor those into variables you can schlep around in the user session (or POST parameters or whatever), you're much better off, being more stateless (as far as the server components are concerned) and all too.
I have an html page that has a form and is communicating to a server via JSON requests, when loading (e.g. in order to remember user's previous answers) and when submit button is pressed (e.g. in order to save his new answers). Every user has a specific user_id that is located as an attribute in the url of the website. I have only HTML pages, CSS and Javascript that makes some simple functions, as well as received and sends the requests.
The problem is that the server needs an api-key for the request to happen, that I need to be kept hidden, but instead is easily discovered when the user sees the source code. I want this specific line to be hidden, but I guess this is not possible without any backend in the game.
I would like to know the easiest and fastest way to get from this state (just frontend, where every piece of information in the source code is totally insecure) to another where the api-key (at least) is not on the open.
I guess the solution is to use a server for that part but I need suggestion on the easiest transition from my code to another. I tried to use GWT, as I am a bit more familiar with JAVA backend application (but not with GWT), but seems like a big trouble, where I need to change my HTML, my Javascript and also the CSS that I have may not be useful, as well as I face a lot of problems when trying to read my parameters.
I know that it is not the best way but I do not have a lot of time to make it work, so sorry if it seems lazy (I am new to this type of programming), but I haven't found anything helpful and I cannot study for 2 weeks in order to be able to begin implementing it.
Is node.js (which is Javascript and I already have implemented the request sending/receiving in this language) easier than GWT for that matter? Will my sensitive data be secure in that way? I would be grateful if there was a similar sample, that I could start using for my implementation, as I haven't find anything that is specifically helpful for my situation.
Thanks in advance!
NodeJs is not javascript, NodeJs is specific javascript "interpreter" whose is purpose is mainly to be executed server-side. If you have an HTML page, it is likely to be loaded in a web browser (client-side), so not in a NodeJs environnement.
Everything that is hard-coded in the javascript of you web page is visible from the client, there is no way around that. So yes, you need some server-ish thing somewhere.
If you are not to manage a server by yourself or via PaaS, you can go for a serverless architecture. For instance, If you consider AWS which I know the most, you can easilly add some user management to your web page using Aws Cognito User Pool. Once a user is connected and have the good permission, he can be granted access to some other resources via a JWT token that you send along with your request.
I have a static JavaScript-only data visualisation. I want to collect the user's name and email before showing them the visualisation.
I have written a popup form to collect this info. But where can I store it? Do I have to add a whole back-end service and database just to store two variables?
I just need to POST two text strings, safely and reliably, from client-side JavaScript, and download the data as needed. Surely someone must offer a service that allows this? I would happily pay to avoid writing my own backend.
(I've looked at embedding a Mailchimp form, but it's too painful to style it in the way I need - I'd prefer to use my own front-end code.)
Have you looked at Campaign monitor ?
You can create a List that has the name + email then you can push this data to that list using AJAX:
https://www.campaignmonitor.com/appstore/ajax-subscription-form/
AWS Mobile Hub (DynamoDB, Lambda, API Gateway, Cognito)
-Integrated console that helps you create, build, test, and monitor your mobile apps that leverage AWS services
Parse server
-Open source server released by Parse/Facebook to replicate functionality of Parse
remoteStorage
-Everything in one place – your place. Use a storage account with a provider you trust, or set up your own storage server. Move house whenever you want. It's your data.
I am making a small payment system, basically it's just a point system, you pay say 1 USD and you get 100 points which is used later on in a game project to get bonuses. It's a script for game servers, something like a user panel.
Now, the script system is ready, but I'm afraid to give it away, since than someone will share it and it will spread all over the gaming area. What would be the solution keeping it working only if I give them a permission?
I thought about re-making whole code and make it work on my website but I don't think that people will want to put their SQL data to website that located NOT on their host. Please help me out, at least with some clues, maybe its possible to make some widgets? or maybe some license system?
I'm really lost.
You should implement the logic on the server side as an api REST call and include in the script only an ajax call to the api. You can limit the use of the api through an api key that you'll provide only to qualified sites.
You'd need to implement some sort or serverside authentication/api so that only varified users can use the script. Much like how software checks a licence.
On script load your javascript could make a ajax call to a server passing through the users IP, auth key, username etc etc.
This can then be varified on the server, maybe returning a dynamically generated url containing a javascript file which contains your business logic
(so that urls are dynamically generated for that users session only)
That way people cant hot link the script, and the script you give out is solely the ajax call
(With the business logic script injected on auth)
I'm doing educational research about how students use a web quiz as a study tool. I've set up a web quiz that shows photos of plants and asks students to type in the correct scientific name.
http://www.plantsciences.ucdavis.edu/courses/enh6/quiz/quiz_sn.html
Using something like Google Analytics I can see the number of photos students look at (because each new photo involves a request from the server). But I'd also like to know how many times students type in a correct answer and how many times they type in a wrong answer. The form is all checked client-side using javascript, so giving a right or wrong answer doesn't start any communication with the server.
Is there a way to collect this data using cookies or something? Or can I have the form request a certain single-pixel gif with each right or wrong answer, so the server can record what's happening? Or do I need to reprogram everything and have the form get processed on the server to collect this data?
If you only want to record correct/incorrect answers, the simplest thing to do from what you've already got would be to expose an API on your server where you can send the information you want to store. Then, you can make an AJAX request to it after receiving an answer and your client side application will be nicely decoupled from the server side storage.
At this stage though, your application won't know if an error occurs on the server side of things. This may be what you want to happen if such errors shouldn't affect your application's primary behavior, but you may wish to respond with a success/error (most likely using JSON) to allow your application to react accordingly.